Friday, June 20, 2008

Top 5 questions to get webappsec threads spinning out of control

1. Should all Web traffic be SSL'ed or only username/passwords?
2. Black box vs. white box testing, which is better?
3. Ask anything about a WAF.
4. What are the best-practices for conducting password recovery?
5. Which certification should I get? CISSP?

21 comments:

5 million software quality engineers, and 400 million developers over 30 years of science and statistics all think that white-box is better. Note that white-box dynamic analysis such as dynamic taint tracking is not black-box.

Ask anything about a WAF

When are they going away?

What are the best-practices for conducting password recovery?

Search owasp.org for answers.

Which certification should I get? CISSP?

None. Until the OWASP People Certification is available, and then you should get it.

I will have to agree with mikea, except on his answer for 5. I do believe that the CISSP does offer a good overall knowledge of security and its many facets. Although the test and material in themselves do not go very deep, a good overarching understanding of security has never hurt anyone, especially security professionals. Maybe I am biased because I am about to take the test, but just my opinion. Take it for what it is.

By the way, way to let your blog run rampant Jeremiah. Do you plan on being at OWASP Boston?

Sadly - most of those have been circulating on the WASC WebAppSec mailing list for the past few months. I think honestly, these are important questions but are much like the "which flavor of Linux is better?" topic - which inevitably ignites something of a religious war.

At least I haven't heard someone say that PHP is the most secure programming language :)

... by the way, Andre - You're just plain retarded if you honestly believe that *all* web traffic should be SSL'd (as you indicate). If you SSL'd all web traffic you wouldn't be able to do intrusion/anomaly detection, not to mention the overhead you'd cause in both processing power and bandwidth needed... anyway - way to think bigger-picture. Sorry - I'm just annoyed with your comments, as you obviously have zero real-world experience. As always ... "Arguing on the Internet is like running the Special Olympics, even if you win, you're still retarded."

I've had many people, formerly or currently with GE and HP, talk about how you "have no real world experience" and you "are a troll". Since I know where you've worked and have talked with your current or former co-workers -- and you appear to know nothing about me, I guess this settles that argument, no?

Also -- I am retarded, my IQ is probably half of yours. I got under a 900 on the SAT. My reading level is stuck in 11th grade. I guess being smarter doesn't actually help you understand security, let alone make you into a nice person.

At some point, data security might progress to the point where we can have functionality and assurance at the HTTP layer. Right now, how do we know that any certain transaction contains or does not contain sensitive or control information?

The way that HTML, CSS, Javascript, Flash, Java applets, QuickTime, and RealPlayer/MediaPlayer execute in the browser today means that HTTP is a control channel from the content to the browser. Since any control information can basically come from anywhere, TLS/SSL is one of the only ways to provide confidentiality to that data, and to prevent MITM type attacks.

Of course, SSL/TLS is only one method of helping for this; and it's not perfect either. However, it's ubiquitous, easy, and it solves a lot of problems.

In the way that web application attacks can be used together -- I think that SSL/TLS as a defense works great along with other protections and defenses.

1. Not all, but probably all POST based, assuming GET is being used right.
2. White box, because it somewhat addresses the insider threat and is likely to find anything black box would find anyway.
3. How can positive security based on network admins communicating with developers ever work, when positive firewall security (especially deny all outbound) based on network admins communicating with sysadmins never really worked right to begin with? Developers are far more antisocial and insular.
4. Make sure you have the permission of the machine owner, or at least enough plausible deniability or political clout to not have to care.
5. The best jobs come from connections, and those people are going to drag you right past HR anyway, so certifications only matter if you're in a slump or are trying to coast.
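The trade-off behind question 1, which the last two comments circle around (TLS for confidentiality of the whole session versus TLS for the login POST only), comes down to what happens to the session cookie after login. The following is an added illustration written for this page, not code from the post or from any commenter. It assumes a hypothetical site shop.example that serves its login form over HTTPS and the rest of the site over plain HTTP, and models only the browser rule that matters here: a cookie flagged Secure is sent on https requests only, any other cookie is sent on both.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers a login endpoint might emit after a
# successful HTTPS POST. Hypothetical site and token; not taken from the page.
LOGIN_WITHOUT_SECURE = "sid=7f3e2a9c; Path=/; HttpOnly"
LOGIN_WITH_SECURE = "sid=7f3e2a9c; Path=/; HttpOnly; Secure"

# Constructed browsing sequence on a "mixed" site: only the login form is TLS,
# everything the logged-in user does afterwards is on plain HTTP.
LATER_REQUESTS = [
    "https://shop.example/login",
    "http://shop.example/catalog",
    "http://shop.example/cart",
    "https://shop.example/checkout",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, {'value', 'secure'}).

    Only the Secure attribute is interpreted; Domain, Path and Expires are
    ignored because they do not change the point being demonstrated.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return name.strip(), {"value": value, "secure": "secure" in attrs}


def cookies_for_request(jar, url):
    """Cookies a browser attaches to a request for url.

    Secure cookies travel only over https; all other cookies go over both
    http and https. Domain/path matching is deliberately left out.
    """
    scheme = urlsplit(url).scheme.lower()
    return {n: c["value"] for n, c in jar.items()
            if scheme == "https" or not c["secure"]}


def analyse(set_cookie_header, urls):
    """Classify the plain-http requests in urls.

    Returns (cleartext_leaks, sessionless_pages): http requests that carry the
    session cookie in the clear, and http requests that carry no session at all.
    """
    name, cookie = parse_set_cookie(set_cookie_header)
    jar = {name: cookie}
    leaks, sessionless = [], []
    for url in urls:
        if urlsplit(url).scheme.lower() != "http":
            continue
        sent = cookies_for_request(jar, url)
        (leaks if name in sent else sessionless).append(url)
    return leaks, sessionless


if __name__ == "__main__":
    for label, header in (("no Secure flag", LOGIN_WITHOUT_SECURE),
                          ("Secure flag", LOGIN_WITH_SECURE)):
        leaks, sessionless = analyse(header, LATER_REQUESTS)
        print(f"{label}: session sent in clear on {leaks}; "
              f"no session on {sessionless}")
```

Run either way, the mixed-mode site loses: without the Secure flag the session token that the HTTPS login just protected is sent in the clear on every later HTTP page, so anyone who can sniff the wire gets the session without ever seeing the password; with the Secure flag the HTTP pages never see the cookie, so the user is effectively logged out everywhere except on the TLS pages. That is why "SSL only the credentials" tends to collapse into "SSL everything the authenticated session touches", which is the position the POST-only answer above is reaching for.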

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and has been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!